Back in March, we first announced the development of MidGARD. As launch looms, Falanx Cyber Defence’s Managing Director, Jay Abbott, gets into how MidGARD works, and where he got his inspiration from.
MidGARD was originally a project codename, and just a holder, but over time it became the obvious choice for what is in fact an entire ecosystem. The nine Norse realms really fitted what we were trying to achieve so as the ecosystem grew, so did the naming convention. Also, I’m not going to lie, we all love Marvel here…
In terms of our ecosystem, we will never be done. It will continuously evolve and grow in parallel to client need, service requirements and most importantly, the external threat landscape. One of the most important factors in our ecosystem is that it is based around a full microservice architecture leveraging large scale open source products as well as custom built microservices that can be adapted, replaced or added to in a matter of days.
This level of flexibility combined with a true implementation of DevOps and Agile, means that we are so much more flexible than the competition. Monolithic applications? No thanks, that’s so 1990.
Say you want MidGARD to interface with your own helpdesk solution and raise tickets in there instead of the MidGARD ticketing system? Ok, sure no problem. As long as your platform has some sort of API we are in.
The options are endless. You want a system that can integrate completely with your architecture, from collection to analysis to investigation and remediation? That’s us.
So let’s look at each of our core components, their Norse name and what they do.
We will start with AsGARD, the realm of the gods!
Asgard, in Norse mythology, is the abode of the gods. Access to Asgard was possible only by crossing the bridge Bifrost (the rainbow). Asgard was divided into 12 or more realms in which each principal god had his own luxurious mansion of gold or silver. The most important palace was Valhalla, the home of Odin, the chief of the gods.
AsGARD is where the SOC resides. It’s how we can manage MidGARD deployments at scale. Essentially think of it as the Eye of Sauron (yes, Lord of the Rings is also popular around here). We can see every event, alert, issue, investigation and problem happening in every MidGARD deployment we have. It’s quite clever.
AsGARD is also the home of Odin and the Realm of Valhalla!
Valhalla (Old Norse Valhöll,”hall of the slain”), in Old Norse mythology, is the hall of slain heroes, ruled by the king of the gods, Odin, in the realm of the gods, Asgard. The hall had 540 doors, through each of which 800 heroes could walk abreast, and the roof was made of shields.
Valhalla is where we do Machine Learning, Artificial Intelligence and Statistical Analysis. Essentially it’s a data lake with a copy of every event from every MidGARD instance in it, where we can perform real time and retrospective analysis of the data. Unlike other companies that pitch Machine Learning as being “better than a SOC”, we believe that experts in the loop add value. Our Valhalla has a “human to machine loop”. Expert analysts can use the platform to create and refine the algorithms being used to detect unknown issues. Good algorithms are improved, bad algorithms thrown away, along with all the false positives they created. After all it’s a service we are running, not a product designed to spam you in an effort to look good.
Next in our Norse journey is the Bifrost!
In Norse mythology, Bifrost is the bridge between Midgard, the realm of man, and Asgard, the realm of the gods. Since it is the only way for the giants to enter Asgard it is closely guarded by Heimdall, the watchman of the gods.
The Bifrost is a combination of multiple message buses and pathways between all of our systems. It facilitates our “Hive Mind” among other important things such as our ability to share data between MidGARD and AsGARD as well as open “rainbow bridges” to pull forensic data off the MidGARD collectors or even connect into a client’s environment for “real-time response” as needed.
Last but by no means least we have MidGARD!
In Norse myth, the defensive fortress which the gods build about the middle portion of the earth allotted to men in order to protect mankind from the giants.
MidGARD is the culmination of many years of thinking on how to do detection and monitoring the right way, as an end to end process that doesn’t leave you guessing at any stage of the equation. Think of it as a “stream based processing engine” that can take any form of input (telemetry data) and run it through a parsing and tagging engine to normalise and align to CEF, then an enrichment bus where data is augmented with more data and enriched automatically through threat intel lookups, “Hive Mind” intelligence and any other number of magic tricks, before its run through a triage and alerting system and eventually written to disk for retrospective investigation. In case you missed that, to clarify, the entire process from ingestion to alert is “in memory!” and real time (give or take some network congestion along the way). Only after we have improved, analysed, actioned and alerted do we write it to a disk, and then when we do we write it into your very own Elastic Search index so you can use the awesomeness that is Kibana to query, analyse and define new and interesting questions to ask of the data.
Beyond the processing engine, we have spent a lot of time in our SOC building and developing the UX. Not just an interface with graphs and numbers, we have developed and implemented the full end to end work flow for investigations, ticket management, search, analysis and every other thing you could want. Collaboration? Oh yes, we do that like no other. How about a dedicated Rocket chat instance as part of your deployment? Completely integrated into the toolset with commands, screen sharing and other collaborative things too numerous to mention here. Want to do your own investigations? Feel free, if you get stuck just type “/help falanx” and one of our analysts will join your chat instance to work through the problem with you. Want to run several on premise SOCs in multiple locations but still need that pesky night shift covered? Not a problem, you guys do 9-5 and we will pick it up 5-9.
There is so much innovation in this product its literally too numerous to mention, but you don’t have to take my word for it – get in touch, arrange a Proof of Concept and let us prove its value.